As users access more and more services remotely over the Internet, they have also accumulated a variety of disparate passwords for accessing those services. In some cases, the users attempt to manage these passwords themselves, which becomes difficult to achieve because frequently a service will have its own requirements with respect to the format of its passwords and with respect to password policies. For example, one service may require that a password have at least one numeric character and an uppercase alphabetic character. Conversely, some others may require a punctuation character. Still further, some services may require that passwords be re-established or reset after a predefined elapsed period of time. Thus, the format and policies will often vary from service to service. As a result, a user can quickly become overwhelmed with managing passwords for the services that the user interacts with.
To make management easier, some users may attempt to keep a single password for all services. Thus, when one service's policy requires a change, the user manually changes the password with all the other remaining services. This approach also has some security risks, since if the password is compromised, the password can be used with all other services associated with the user. Moreover, intruders will often assume users have the same password across services because of the management challenges associated with maintaining passwords. Thus, if a password is compromised, it is entirely likely that the user's other services are also going to be compromised.
Some directory services or password services have somewhat alleviated the problem by permitting users to store their various passwords in a central repository. Users access the central repository with a different key or password that identifies them to the directory service, and from there the users are either supplied their encrypted passwords for decryption or the directory service supplies selected passwords to desired services on behalf of the users. In some cases, the directory service will not even be capable of decrypting the encrypted passwords. This is convenient for the users and is generally a secure approach. Additionally, with an approach such as this a user is not tempted to have a single password for all the various services of the user, since management can be facilitated through the password service.
However, there is still a significant amount of manual effort that is required of a user to maintain his/her list of passwords. When a policy of a service dictates that a password must be changed after an expiring period, the user must request the password from the directory service, decrypt it, submit it to the service, and make the change. The newly established password must then be encrypted and updated in the central repository of the password service.
Thus, although users may not have to manually keep track of all their various passwords if they deploy an automated service, the users still have to manually manage re-establishing these passwords as policies are enforced by the various services to which the passwords relate.
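The following is an added illustration, not code from the original text or from any product it describes. It models the two difficulties the passage above raises: each service imposes its own composition rules (a numeric character, an uppercase letter, punctuation, as in the first paragraph), and some services force a reset after a fixed period (as in the last two paragraphs). The policy structure, the service names, the stored credentials and the dates are all constructed assumptions. It shows how a password manager could check a candidate password against a service's rules, flag stored credentials whose expiry policy is due, and test whether one password could ever satisfy every service at once, which is the reuse temptation the second paragraph describes.

```python
"""Per-service password policies and rotation tracking (added example).

The PasswordPolicy fields, the service names and every date are
constructed sample data, not part of the original text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Composition and expiry rules of one service (assumed structure)."""
    min_length: int = 8
    require_digit: bool = False
    require_upper: bool = False
    require_punct: bool = False
    max_age_days: Optional[int] = None   # None: the service never forces a reset


def policy_violations(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the rules of `policy` that `password` fails (empty list means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase alphabetic character")
    if policy.require_punct and not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    return problems


@dataclass
class StoredCredential:
    """One entry in the central repository: which service, and when its password was last set.
    The password itself is deliberately not modelled here; only the rotation date matters."""
    service: str
    last_changed: date


def credentials_needing_reset(policies: Dict[str, PasswordPolicy],
                              vault: List[StoredCredential],
                              today: date) -> List[str]:
    """Services whose expiry policy says the stored password must be re-established."""
    due = []
    for cred in vault:
        max_age = policies[cred.service].max_age_days
        if max_age is not None and today - cred.last_changed >= timedelta(days=max_age):
            due.append(cred.service)
    return due


def single_password_fits_all(policies: Dict[str, PasswordPolicy], password: str) -> bool:
    """True only if one password satisfies every service's rules at once."""
    return all(not policy_violations(p, password) for p in policies.values())


# Constructed sample services: one wants a digit and an uppercase letter,
# another wants punctuation and a longer minimum, a third forces a reset every 90 days.
SAMPLE_POLICIES = {
    "mail": PasswordPolicy(require_digit=True, require_upper=True),
    "bank": PasswordPolicy(min_length=12, require_punct=True),
    "hr": PasswordPolicy(require_digit=True, max_age_days=90),
}

# Constructed vault contents: all three passwords were last set on the same day.
SAMPLE_VAULT = [
    StoredCredential("mail", date(2024, 1, 10)),
    StoredCredential("bank", date(2024, 1, 10)),
    StoredCredential("hr", date(2024, 1, 10)),
]


if __name__ == "__main__":
    print(policy_violations(SAMPLE_POLICIES["mail"], "letmein"))
    print(policy_violations(SAMPLE_POLICIES["bank"], "Correct-Horse-Battery"))
    print(credentials_needing_reset(SAMPLE_POLICIES, SAMPLE_VAULT, date(2024, 5, 1)))
    print(single_password_fits_all(SAMPLE_POLICIES, "Letmein42"))
```

Running the module shows the three kinds of answer a manager needs: which rules a candidate fails for a given service, which stored credentials the expiry policies have made due for re-establishment on a given day, and that a password accepted by one service ("Letmein42" passes the mail policy) can still be rejected by another, so a single shared password is rarely even possible once several services' policies are combined.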